Add local content in /etc/sudoers.d/ instead of modifying the sudoers file directly with visudo

Modified on: Sat, 09 Jun 2018 04:08:23 +0800

Could you please point me to some examples and a more detailed explanation of /etc/sudoers.d/?

I want to give some groups sudo rights to a few commands, but in the proper way, without opening unnecessary holes in the Ubuntu security model on a multi-user machine.

Back in ancient times I did some simple sudoers customisation, but apparently /etc/sudoers.d/ is now the more appropriate way, and I would like to understand it better.

Best answer

It looks like nobody dared, so I did my own research. Here are the results.

This thread, https://superuser.com/questions/869144/why-does-the-system-have-etc-sudoers-d-how-should-i-edit-it, stresses that /etc/sudoers is a system-wide configuration file that gets changed on system upgrades and is very fragile with respect to incorrect edits: you may lose access to the system, or it may no longer boot, after an incorrect change.

$ sudo cat /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#

(... some other content ...)

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

Contrary to what you might think, the #includedir directive is not commented out. It is in effect and includes all files in the /etc/sudoers.d directory.

The contents of this directory survive system upgrades, and moreover sudo is less strict about it:

  1. Errors in the files do not cause sudo to fail.
  2. The permission rules seem to be less restrictive.

    So it is less likely that you break the system because of a mistake.

    $ ls -l /etc/sud*
    -r--r----- 1 root root  755 sty 20 17:03 /etc/sudoers
    
    /etc/sudoers.d:
    total 7
    -r--r----- 1 root root 958 mar 30  2016 README
    $ sudo cat /etc/sudoers.d/README
    #
    # As of Debian version 1.7.2p1-1, the default /etc/sudoers file created on
    # installation of the package now includes the directive:
    # 
    #   #includedir /etc/sudoers.d
    # 
    # This will cause sudo to read and parse any files in the /etc/sudoers.d 
    # directory that do not end in '~' or contain a '.' character.
    # 
    # Note that there must be at least one file in the sudoers.d directory (this
    # one will do), and all files in this directory should be mode 0440.
    # 
    # Note also, that because sudoers contents can vary widely, no attempt is 
    # made to add this directive to existing sudoers files on upgrade.  Feel free
    # to add the above directive to the end of your /etc/sudoers file to enable 
    # this functionality for existing installations if you wish!
    #
    # Finally, please note that using the visudo command is the recommended way
    # to update sudoers content, since it protects against many failure modes.
    # See the man page for visudo for more information.
    #
    

    Note that files in this directory should be edited with the visudo command:

    $ sudo visudo -f /etc/sudoers.d/veracrypt
      GNU nano 2.5.3        File: /etc/sudoers.d/veracrypt.tmp                      
    
    # Users in the veracryptusers group are allowed to run veracrypt as root.
    %veracryptusers ALL=(root) NOPASSWD:/usr/bin/veracrypt
    

    Note that visudo may use a different editor for the actual work; this is described here: https://help.ubuntu.com/community/Sudoers

    Here are some useful links I found:


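The README quoted in the answer imposes three constraints on a drop-in: the file name must not contain a '.' or end in '~', the mode must be 0440, and the content should be validated with visudo. The script below is an added example (not part of the original question or answer) that installs a one-line rule while checking each of those constraints explicitly. The group name, the command path and the helper names are made up for illustration; it assumes a POSIX sh, a GNU or BSD stat, and uses visudo only if it is on the PATH, so it can be run unprivileged against a scratch directory before being pointed at the real /etc/sudoers.d.

```shell
#!/bin/sh
# Added example: install a sudoers.d drop-in the way the README above requires.
# Helper names (sudoersd_name_ok, file_mode, install_sudoers_rule) are made up;
# the group 'veracryptusers' and /usr/bin/veracrypt are taken from the answer.

# sudo silently ignores files in sudoers.d whose name contains a '.' or ends
# in '~' (editor backups, foo.dpkg-old, foo.bak ...). A rule dropped into such
# a file simply never takes effect, so refuse those names up front.
sudoersd_name_ok() {
    case "$1" in
        ""|*/*) return 1 ;;   # must be a bare, non-empty file name
        *~)     return 1 ;;   # editor backup: ignored by sudo
        *.*)    return 1 ;;   # e.g. veracrypt.dpkg-old: ignored by sudo
        *)      return 0 ;;
    esac
}

# Octal permission bits of a file, portable across GNU stat and BSD stat.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Install one rule line as a drop-in:
#   1. write it to a temp name containing '.', so sudo ignores it meanwhile
#   2. set owner root (when running as root) and mode 0440
#   3. syntax-check the file alone with 'visudo -cf' if visudo is available
#   4. rename atomically, so sudo never parses a half-written file
# Usage: install_sudoers_rule <dir> <name> <rule-line>
install_sudoers_rule() {
    dir=$1; name=$2; rule=$3
    sudoersd_name_ok "$name" || { echo "bad drop-in name: $name" >&2; return 1; }
    tmp="$dir/.$name.tmp"
    printf '%s\n' "$rule" > "$tmp" || return 1
    # sudo also expects the drop-in to be owned by root; only possible as root.
    [ "$(id -u)" -eq 0 ] && chown root:root "$tmp"
    chmod 0440 "$tmp" || { rm -f "$tmp"; return 1; }
    if command -v visudo >/dev/null 2>&1; then
        # -f checks only this file's syntax; owner/mode are not checked with -f
        visudo -cf "$tmp" >/dev/null || { rm -f "$tmp"; return 1; }
    fi
    mv "$tmp" "$dir/$name"
}

# Stand-alone run: use a scratch directory instead of /etc/sudoers.d.
if [ "${SUDOERSD_DEMO:-}" = 1 ]; then
    d=$(mktemp -d)
    install_sudoers_rule "$d" veracrypt \
        '%veracryptusers ALL=(root) NOPASSWD: /usr/bin/veracrypt' \
        && echo "installed $d/veracrypt mode $(file_mode "$d/veracrypt")"
    install_sudoers_rule "$d" veracrypt.bak 'x' || echo "rejected veracrypt.bak"
    rm -rf "$d"
fi
```

Run with SUDOERSD_DEMO=1 to see it operate on a temporary directory; to install for real, call install_sudoers_rule with /etc/sudoers.d as root, then confirm the whole configuration still parses with `sudo visudo -c` and that the rule is actually granted with `sudo -l -U <member-of-veracryptusers>`. The temporary name deliberately contains a '.' for the same reason visudo itself edits veracrypt.tmp in the answer above.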